foundation of cryptography 0368 4162 01 lecture 5
play

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive - PowerPoint PPT Presentation

Sep 22, 2022 •394 likes •1.51k views

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

  1. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L .

  2. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ .

  3. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1

  4. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1 ZK only required to hold with respect to true statements. 2

  5. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1 ZK only required to hold with respect to true statements. 2 wlg. V ∗ ’s outputs is its “view". 3

  6. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1 ZK only required to hold with respect to true statements. 2 wlg. V ∗ ’s outputs is its “view". 3 Trivial to achieve for L ∈ BPP 4

  7. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1 ZK only required to hold with respect to true statements. 2 wlg. V ∗ ’s outputs is its “view". 3 Trivial to achieve for L ∈ BPP 4 Extension: auxiliary input 5

  8. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1 ZK only required to hold with respect to true statements. 2 wlg. V ∗ ’s outputs is its “view". 3 Trivial to achieve for L ∈ BPP 4 Extension: auxiliary input 5 The “standard" NP proof is typically not zero knowledge 6

  9. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Zero knowledge Proof Definition 6 (computational ZK ) An interactive proof ( P , V ) is computational zero-knowledge proof ( CZKP ) for L , if ∀ PPT V ∗ , ∃ PPT S such that {� ( P , V ∗ )( x ) �} x ∈L ≈ c { S ( x ) } x ∈L . Perfect ZK ( PZKP )/statistical ZK ( SZKP ) – the above dist. are identicallly/statistically close, even for unbounded V ∗ . ZK is a property of the prover. 1 ZK only required to hold with respect to true statements. 2 wlg. V ∗ ’s outputs is its “view". 3 Trivial to achieve for L ∈ BPP 4 Extension: auxiliary input 5 The “standard" NP proof is typically not zero knowledge 6 Next class — ZK for all NP 7

  10. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Section 2 ZK Proof for GI

  11. ZK Proof for GI Black-box ZK Zero Knowledge for all NP ZK Proof for Graph Isomorphism Idea: route finding

  12. ZK Proof for GI Black-box ZK Zero Knowledge for all NP ZK Proof for Graph Isomorphism Idea: route finding Protocol 7 ( ( P , V ) ) Common input x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) P ’s input a permutation π such that π ( E 1 ) = E 0 P chooses π ′ ← Π m and sends E = π ′ ( E 0 ) to V 1 V sends b ← { 0 , 1 } to P 2 if b = 0, P sets π ′′ = π ′ , otherwise, it sends π ′′ = π ′ ◦ π to V 3 V accepts iff π ′′ ( E b ) = E 4

  13. ZK Proof for GI Black-box ZK Zero Knowledge for all NP ZK Proof for Graph Isomorphism Idea: route finding Protocol 7 ( ( P , V ) ) Common input x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) P ’s input a permutation π such that π ( E 1 ) = E 0 P chooses π ′ ← Π m and sends E = π ′ ( E 0 ) to V 1 V sends b ← { 0 , 1 } to P 2 if b = 0, P sets π ′′ = π ′ , otherwise, it sends π ′′ = π ′ ◦ π to V 3 V accepts iff π ′′ ( E b ) = E 4 Claim 8 The above protocol is SZKP for GI, with perfect completeness and soundness 1 2 .

  14. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 8 Completeness Clear

  15. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 8 Completeness Clear Soundness If exist j ∈ { 0 , 1 } for which ∄ π ′ ∈ Π m with π ′ ( E j ) = E , then V rejects w.p. at least 1 2 .

  16. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 8 Completeness Clear Soundness If exist j ∈ { 0 , 1 } for which ∄ π ′ ∈ Π m with π ′ ( E j ) = E , then V rejects w.p. at least 1 2 . Assuming V rejects w.p. less than 1 2 and lett π 0 and π 1 be the values guaranteed by the above observation (i.e., mapping E 0 and E 1 to E respectively).

  17. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 8 Completeness Clear Soundness If exist j ∈ { 0 , 1 } for which ∄ π ′ ∈ Π m with π ′ ( E j ) = E , then V rejects w.p. at least 1 2 . Assuming V rejects w.p. less than 1 2 and lett π 0 and π 1 be the values guaranteed by the above observation (i.e., mapping E 0 and E 1 to E respectively). Then π − 1 0 ( π 1 ( E 1 )) = π 0

  18. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 8 Completeness Clear Soundness If exist j ∈ { 0 , 1 } for which ∄ π ′ ∈ Π m with π ′ ( E j ) = E , then V rejects w.p. at least 1 2 . Assuming V rejects w.p. less than 1 2 and lett π 0 and π 1 be the values guaranteed by the above observation (i.e., mapping E 0 and E 1 to E respectively). Then π − 1 0 ( π 1 ( E 1 )) = π 0 = ⇒ ( G 0 , G 1 ) ∈ GI.

  19. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 8 Completeness Clear Soundness If exist j ∈ { 0 , 1 } for which ∄ π ′ ∈ Π m with π ′ ( E j ) = E , then V rejects w.p. at least 1 2 . Assuming V rejects w.p. less than 1 2 and lett π 0 and π 1 be the values guaranteed by the above observation (i.e., mapping E 0 and E 1 to E respectively). Then π − 1 0 ( π 1 ( E 1 )) = π 0 = ⇒ ( G 0 , G 1 ) ∈ GI. ZK Idea: for ( G 0 , G 1 ) ∈ GI, it is easy to generate a random transcript for Steps 1-2, and to be able to open it with prob 1 2 .

  20. ZK Proof for GI Black-box ZK Zero Knowledge for all NP The simulator For a start we consider a deterministic cheating verifier V ∗ that never aborts.

  21. ZK Proof for GI Black-box ZK Zero Knowledge for all NP The simulator For a start we consider a deterministic cheating verifier V ∗ that never aborts. Algorithm 9 ( S ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Do | x | times: Choose b ′ ← { 0 , 1 } and π ← Π m , and “send" π ( E b ′ ) to 1 V ∗ ( x ) . Let b be V ∗ ’s answer. If b = b ′ , send π to V ∗ , output V ∗ ’s 2 output and halt. Otherwise, rewind the simulation to its first step. Abort

  22. ZK Proof for GI Black-box ZK Zero Knowledge for all NP The simulator For a start we consider a deterministic cheating verifier V ∗ that never aborts. Algorithm 9 ( S ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Do | x | times: Choose b ′ ← { 0 , 1 } and π ← Π m , and “send" π ( E b ′ ) to 1 V ∗ ( x ) . Let b be V ∗ ’s answer. If b = b ′ , send π to V ∗ , output V ∗ ’s 2 output and halt. Otherwise, rewind the simulation to its first step. Abort Claim 10 {� ( P , V ∗ )( x ) �} x ∈ GI ≈ { S ( x ) } x ∈ GI

  23. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 Algorithm 11 ( S ′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Do | x | times: Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Let b be V ∗ ’s answer. 2 2 , find π ′ such that E = π ′ ( E b ) and send it to V ∗ , W.p. 1 output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort

  24. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 Algorithm 11 ( S ′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Do | x | times: Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Let b be V ∗ ’s answer. 2 2 , find π ′ such that E = π ′ ( E b ) and send it to V ∗ , W.p. 1 output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort Claim 12 S ( x ) ≡ S ′ ( x ) for any x ∈ GI.

  25. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 Algorithm 11 ( S ′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Do | x | times: Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Let b be V ∗ ’s answer. 2 2 , find π ′ such that E = π ′ ( E b ) and send it to V ∗ , W.p. 1 output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort Claim 12 S ( x ) ≡ S ′ ( x ) for any x ∈ GI. Proof : ?

  26. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 cont. Algorithm 13 ( S ′′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Find π ′ such that E = π ′ ( E b ) , send it to V ∗ , output V ∗ ’s 2 output and halt.

  27. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 cont. Algorithm 13 ( S ′′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Find π ′ such that E = π ′ ( E b ) , send it to V ∗ , output V ∗ ’s 2 output and halt. Claim 14 ∀ x ∈ GI it holds that � ( P , V ∗ ( x )) � ≡ S ′′ ( x ) . 1

  28. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 cont. Algorithm 13 ( S ′′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Find π ′ such that E = π ′ ( E b ) , send it to V ∗ , output V ∗ ’s 2 output and halt. Claim 14 ∀ x ∈ GI it holds that � ( P , V ∗ ( x )) � ≡ S ′′ ( x ) . 1 SD ( S ′′ ( x ) , S ′ ( x )) ≤ 2 −| x | . 2

  29. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 cont. Algorithm 13 ( S ′′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Find π ′ such that E = π ′ ( E b ) , send it to V ∗ , output V ∗ ’s 2 output and halt. Claim 14 ∀ x ∈ GI it holds that � ( P , V ∗ ( x )) � ≡ S ′′ ( x ) . 1 SD ( S ′′ ( x ) , S ′ ( x )) ≤ 2 −| x | . 2 Proof : ?

  30. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 10 cont. Algorithm 13 ( S ′′ ) Input: x = ( G 0 = ([ m ] , E 0 ) , G 1 = ([ m ] , E 1 )) Choose π ← Π m and sends E = π ( E 0 ) to V ∗ ( x ) . 1 Find π ′ such that E = π ′ ( E b ) , send it to V ∗ , output V ∗ ’s 2 output and halt. Claim 14 ∀ x ∈ GI it holds that � ( P , V ∗ ( x )) � ≡ S ′′ ( x ) . 1 SD ( S ′′ ( x ) , S ′ ( x )) ≤ 2 −| x | . 2 Proof : ? (1) is clear.

  31. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 14(2) Fix ( E , π ′ ) and let α = Pr S ′′ [( E , π ′ )] .

  32. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 14(2) Fix ( E , π ′ ) and let α = Pr S ′′ [( E , π ′ )] . It holds that | x | ( 1 − 1 2 ) i − 1 · 1 Pr S ′ [( E , π ′ )] = α · � 2 i = 1 = ( 1 − 2 −| x | ) · α

  33. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Proving Claim 14(2) Fix ( E , π ′ ) and let α = Pr S ′′ [( E , π ′ )] . It holds that | x | ( 1 − 1 2 ) i − 1 · 1 Pr S ′ [( E , π ′ )] = α · � 2 i = 1 = ( 1 − 2 −| x | ) · α Hence, SD ( S ′′ ( x ) , S ′ ( x )) ≤ 2 −| x |

  34. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1

  35. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers 2

  36. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers – Normalize aborting probability 2

  37. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers – Normalize aborting probability 2 Auxiliary input 3

  38. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers – Normalize aborting probability 2 Auxiliary input 3 Negligible soundness error? 4

  39. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers – Normalize aborting probability 2 Auxiliary input 3 Negligible soundness error? Sequentiall/Parallel 4 composition

  40. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers – Normalize aborting probability 2 Auxiliary input 3 Negligible soundness error? Sequentiall/Parallel 4 composition Perfect ZK for “expected time simulators" 5

  41. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Remarks Randomized verifiers 1 Aborting verifiers – Normalize aborting probability 2 Auxiliary input 3 Negligible soundness error? Sequentiall/Parallel 4 composition Perfect ZK for “expected time simulators" 5 “Black box" simulation 6

  42. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Section 3 Black-box ZK

  43. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Black-box simulators Definition 15 (Black-box simulator) ( P , V ) is CZKP with black-box simulation for L , if ∃ oracle-aided PPT S s.t. for every deterministic polynomial-time a V ∗ : { ( P ( w x ) , V ∗ ( z ))( x ) } x ∈L ≈ c { S V ∗ ( x , z x ) ( x ) } x ∈L for any { ( w x , z x ) ∈ R L ( x ) × { 0 , 1 } ∗ } x ∈L .

  44. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Black-box simulators Definition 15 (Black-box simulator) ( P , V ) is CZKP with black-box simulation for L , if ∃ oracle-aided PPT S s.t. for every deterministic polynomial-time a V ∗ : { ( P ( w x ) , V ∗ ( z ))( x ) } x ∈L ≈ c { S V ∗ ( x , z x ) ( x ) } x ∈L for any { ( w x , z x ) ∈ R L ( x ) × { 0 , 1 } ∗ } x ∈L . Prefect and statistical variants are defined analogously. a Length of auxiliary input does not count for the running time.

  45. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Black-box simulators Definition 15 (Black-box simulator) ( P , V ) is CZKP with black-box simulation for L , if ∃ oracle-aided PPT S s.t. for every deterministic polynomial-time a V ∗ : { ( P ( w x ) , V ∗ ( z ))( x ) } x ∈L ≈ c { S V ∗ ( x , z x ) ( x ) } x ∈L for any { ( w x , z x ) ∈ R L ( x ) × { 0 , 1 } ∗ } x ∈L . Prefect and statistical variants are defined analogously. a Length of auxiliary input does not count for the running time. “Most simulators" are black box 1

  46. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Black-box simulators Definition 15 (Black-box simulator) ( P , V ) is CZKP with black-box simulation for L , if ∃ oracle-aided PPT S s.t. for every deterministic polynomial-time a V ∗ : { ( P ( w x ) , V ∗ ( z ))( x ) } x ∈L ≈ c { S V ∗ ( x , z x ) ( x ) } x ∈L for any { ( w x , z x ) ∈ R L ( x ) × { 0 , 1 } ∗ } x ∈L . Prefect and statistical variants are defined analogously. a Length of auxiliary input does not count for the running time. “Most simulators" are black box 1 Strictly weaker then general simulation! 2

  47. ZK Proof for GI Black-box ZK Zero Knowledge for all NP Section 4 Zero Knowledge for all NP

  48. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL CZKP for 3COL Assuming that OWFs exists, we give a CZKP for 3COL . We show how to transform it for any L ∈ NP (using that 3COL ∈ NPC ).

  49. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL CZKP for 3COL Assuming that OWFs exists, we give a CZKP for 3COL . We show how to transform it for any L ∈ NP (using that 3COL ∈ NPC ). Definition 16 ( 3COL ) G = ( M , E ) ∈ 3COL, if ∃ φ : M �→ [ 3 ] s.t. φ ( u ) � = φ ( v ) for every ( u , v ) ∈ E .

  50. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL CZKP for 3COL Assuming that OWFs exists, we give a CZKP for 3COL . We show how to transform it for any L ∈ NP (using that 3COL ∈ NPC ). Definition 16 ( 3COL ) G = ( M , E ) ∈ 3COL, if ∃ φ : M �→ [ 3 ] s.t. φ ( u ) � = φ ( v ) for every ( u , v ) ∈ E . We use commitment schemes.

  51. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL The protocol Let π 3 be the set of all permutations over [ 3 ] .

  52. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL The protocol Let π 3 be the set of all permutations over [ 3 ] . We use perfectly binding commitment Com (statistically binding?).

  53. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL The protocol Let π 3 be the set of all permutations over [ 3 ] . We use perfectly binding commitment Com (statistically binding?). Protocol 17 ( ( P , V ) ) Common input: Graph G = ( M , E ) with n = | G | P’s input: a (valid) coloring φ of G P chooses π ← Π 3 and sets ψ = π ◦ φ 1 ∀ v ∈ M : P commits to ψ ( v ) using Com ( 1 n ) . 2 Let c v and d v be the resulting commitment and decommitment. V sends e = ( u , v ) ← E to P 3 P sends ( d u , ψ ( u )) , ( d v , ψ ( v )) to V 4 V verifies that (1) both decommitments are valid, (2) 5 ψ ( u ) , ψ ( v ) ∈ [ 3 ] and (3) ψ ( u ) � = ψ ( v ) .

  54. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Claim 18 The above protocol is a CZKP for 3COL, with perfect completeness and soundness 1 / | E | .

  55. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Claim 18 The above protocol is a CZKP for 3COL, with perfect completeness and soundness 1 / | E | . Completeness: Clear Soundness: Let { c v } v ∈ M be the commitments resulting from an interaction of V with an arbitrary P ∗ .

  56. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Claim 18 The above protocol is a CZKP for 3COL, with perfect completeness and soundness 1 / | E | . Completeness: Clear Soundness: Let { c v } v ∈ M be the commitments resulting from an interaction of V with an arbitrary P ∗ . Define φ : M �→ [ 3 ] as follows: ∀ v ∈ M : let φ ( v ) be the (single) value that it is possible to decommit c v into (if not in [ 3 ] , set φ ( v ) = 1).

  57. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Claim 18 The above protocol is a CZKP for 3COL, with perfect completeness and soundness 1 / | E | . Completeness: Clear Soundness: Let { c v } v ∈ M be the commitments resulting from an interaction of V with an arbitrary P ∗ . Define φ : M �→ [ 3 ] as follows: ∀ v ∈ M : let φ ( v ) be the (single) value that it is possible to decommit c v into (if not in [ 3 ] , set φ ( v ) = 1). If G / ∈ 3COL, then ∃ ( u , v ) ∈ E s.t. ψ ( u ) = ψ ( v ) .

  58. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Claim 18 The above protocol is a CZKP for 3COL, with perfect completeness and soundness 1 / | E | . Completeness: Clear Soundness: Let { c v } v ∈ M be the commitments resulting from an interaction of V with an arbitrary P ∗ . Define φ : M �→ [ 3 ] as follows: ∀ v ∈ M : let φ ( v ) be the (single) value that it is possible to decommit c v into (if not in [ 3 ] , set φ ( v ) = 1). If G / ∈ 3COL, then ∃ ( u , v ) ∈ E s.t. ψ ( u ) = ψ ( v ) . Hence V rejects such x w.p. a least 1 / | E |

  59. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Proving ZK Fix a deterministic, non-aborting V ∗ that gets no auxiliary input.

  60. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Proving ZK Fix a deterministic, non-aborting V ∗ that gets no auxiliary input. Algorithm 19 ( S ) Input: A graph G = ( M , E ) with n = | G | Do n · | E | times: Choose e ′ = ( u , v ) ← E . Set ψ ( u ) ← [ 3 ] , 1 ψ ( v ) ← [ 3 ] \ { ψ ( u ) } , and ψ ( w ) = 1 for w ∈ M \ { u , v } ∀ v ∈ M : commit to ψ ( v ) to V ∗ (resulting in c v and d v ) 2 Let e be the edge sent by V ∗ . 3 If e = e ′ , send ( d u , ψ ( u )) , ( d v , ψ ( v )) to V ∗ , output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort

  61. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Proving ZK cont. Claim 20 { ( P ( w x ) , V ∗ )( x ) } x ∈ 3COL ≈ c { S V ∗ ( x ) ( x ) } x ∈ 3COL, for any { w x ∈ R 3COL ( x ) } x ∈ 3COL.

  62. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Consider the following (inefficient simulator) Algorithm 21 ( S ′ ) Input: G = ( V , E ) with n = | G | Find (using brute force) a valid coloring φ of G Do n · | E | times Act as the honest prover does given private input φ 1 Let e be the edge sent by V ∗ . 2 W.p. 1 / | E | , S ′ sends ( ψ ( u ) , d u ) , ( ψ ( v ) , d v ) to V ∗ , output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort

  63. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Consider the following (inefficient simulator) Algorithm 21 ( S ′ ) Input: G = ( V , E ) with n = | G | Find (using brute force) a valid coloring φ of G Do n · | E | times Act as the honest prover does given private input φ 1 Let e be the edge sent by V ∗ . 2 W.p. 1 / | E | , S ′ sends ( ψ ( u ) , d u ) , ( ψ ( v ) , d v ) to V ∗ , output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort Claim 22 { S V ∗ ( x ) ( x ) } x ∈ 3COL ≈ c { S ′ V ∗ ( x ) ( x ) } x ∈ 3COL

  64. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Consider the following (inefficient simulator) Algorithm 21 ( S ′ ) Input: G = ( V , E ) with n = | G | Find (using brute force) a valid coloring φ of G Do n · | E | times Act as the honest prover does given private input φ 1 Let e be the edge sent by V ∗ . 2 W.p. 1 / | E | , S ′ sends ( ψ ( u ) , d u ) , ( ψ ( v ) , d v ) to V ∗ , output V ∗ ’s output and halt. Otherwise, rewind the simulation to its first step. Abort Claim 22 { S V ∗ ( x ) ( x ) } x ∈ 3COL ≈ c { S ′ V ∗ ( x ) ( x ) } x ∈ 3COL Proof : ?

  65. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Proving Claim 22 Assume ∃ PPT D, p ∈ poly and an infinite set I ⊆ 3COL s.t. � � Pr [ D ( | x | , S V ∗ ( x ) ( x )) = 1 ] − Pr [ D ( | x | , S ′ V ∗ ( x ) ( x )) = 1 ] � � ≥ 1 / p ( | x | ) � � for all x ∈ I .

  66. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Proving Claim 22 Assume ∃ PPT D, p ∈ poly and an infinite set I ⊆ 3COL s.t. � � Pr [ D ( | x | , S V ∗ ( x ) ( x )) = 1 ] − Pr [ D ( | x | , S ′ V ∗ ( x ) ( x )) = 1 ] � � ≥ 1 / p ( | x | ) � � for all x ∈ I . Hence, ∃ PPT R ∗ and b � = b ′ ∈ [ 3 ] such that { View R ∗ ( S ( b ) , R ∗ ( x ))( 1 | x | ) } x ∈I �≈ c { View R ∗ ( S ( b ′ ) , R ∗ ( x ))( 1 | x | ) } x ∈I where S is the sender in Com.

  67. ZK Proof for GI Black-box ZK Zero Knowledge for all NP CZKP for 3COL Proving Claim 22 Assume ∃ PPT D, p ∈ poly and an infinite set I ⊆ 3COL s.t. � Pr [ D ( | x | , S V ∗ ( x ) ( x )) = 1 ] − Pr [ D ( | x | , S ′ V ∗ ( x ) ( x )) = 1 ] � � � ≥ 1 / p ( | x | ) � � for all x ∈ I . Hence, ∃ PPT R ∗ and b � = b ′ ∈ [ 3 ] such that { View R ∗ ( S ( b ) , R ∗ ( x ))( 1 | x | ) } x ∈I �≈ c { View R ∗ ( S ( b ′ ) , R ∗ ( x ))( 1 | x | ) } x ∈I where S is the sender in Com. We critically used the non-uniform security of Com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Lecture 0 Adminstration + Introduction Iftach Haitner, Tel Aviv University November 1, 2011 Administration Course Topics Part I Administration and Course Overview Administration Course Topics

714 views • 24 slides
Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication

1.25k views • 89 slides
Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function

Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function

The Information Theoretic Case The Computational Case Foundation of Cryptography (0368-4162-01), Lecture 3 Hardcore Predicates for Any One-way Function Iftach Haitner, Tel Aviv University November 22, 2011 The Information Theoretic Case The

1.03k views • 85 slides
Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Function Families PRF from OWF PRP from PRF Applications Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel Aviv University November 29, 2011 Function Families PRF from OWF PRP from PRF

1.17k views • 58 slides
Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv

Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv

Definitions Constructions Active Adversaries Foundation of Cryptography (0368-4162-01), Lecture 8 Encryption Schemes Iftach Haitner, Tel Aviv University January 3 17, 2012 Definitions Constructions Active Adversaries Section 1

1.33k views • 112 slides
Foundation of Cryptography (0368-4162-01), Lecture 1 One Way Functions Iftach Haitner, Tel Aviv

Foundation of Cryptography (0368-4162-01), Lecture 1 One Way Functions Iftach Haitner, Tel Aviv

Notation One Way Functions Foundation of Cryptography (0368-4162-01), Lecture 1 One Way Functions Iftach Haitner, Tel Aviv University November 1-8, 2011 Notation One Way Functions Section 1 Notation Notation One Way Functions Notation I

988 views • 67 slides
Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel Aviv University Tel Aviv University. February 25, 2014 Iftach Haitner (TAU) Foundation of Cryptography February 25, 2014 1 / 26 Part I

1.38k views • 76 slides
Foundation of Cryptography (0368-4162-01), Intoduction Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Intoduction Adminstration + Introduction Iftach

Foundation of Cryptography (0368-4162-01), Intoduction Adminstration + Introduction Iftach Haitner, Tel Aviv University Tel Aviv University. February 18, 2014 Iftach Haitner (TAU) Foundation of Cryptography February 18, 2014 1 / 16 Part I

763 views • 34 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 CCA Security SIM-CCA Security (PKE) Recv Send PK/Enc SK/Dec Replay Filter Secure (and correct) if: s.t. output of is distributed

1.26k views • 101 slides
Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University

Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University

Foundation of Cryptography, Lecture 5 MACs and Signatures Iftach Haitner, Tel Aviv University Tel Aviv University. March 17, 2013 Iftach Haitner (TAU) Foundation of Cryptography March 17, 2013 1 / 39 Part I Message Authentication Codes

1.41k views • 113 slides
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner,

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner,

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 1 / 33 Part I

1.79k views • 152 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy: Secret-Sharing Secrecy Secrecy Cryptography is all about controlling access to information Access to learning and/or influencing

2.01k views • 171 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Prefect Applications Class of 2021 Tuesday, 19 July 2016 LONGSANDS ACADEMY PREFECT ge 4 Key

Prefect Applications Class of 2021 Tuesday, 19 July 2016 LONGSANDS ACADEMY PREFECT ge 4 Key

ge 4 Key ey Stage The best of you Prefect Applications Class of 2021 Tuesday, 19 July 2016 LONGSANDS ACADEMY PREFECT ge 4 Key ey SYSTEM Stage The best of you There are three Committees which you can choose to work within: 1.

246 views • 7 slides
From Bayesian Nash Equilibrium (BNE) to Perfect Bayesian Equilibrium (PBE) Flix Muoz-Garca

From Bayesian Nash Equilibrium (BNE) to Perfect Bayesian Equilibrium (PBE) Flix Muoz-Garca

From Bayesian Nash Equilibrium (BNE) to Perfect Bayesian Equilibrium (PBE) Flix Muoz-Garca School of Economic Sciences Washington State University BNEs and Sequential rationality So far we have learned how to nd BNEs in incomplete

1.04k views • 60 slides
Early Years Workload Survey 2019 Update to DfE Learn, Explore, Debate events. July 2019 Michael

Early Years Workload Survey 2019 Update to DfE Learn, Explore, Debate events. July 2019 Michael

Early Years Workload Survey 2019 Update to DfE Learn, Explore, Debate events. July 2019 Michael Freeston. Director of Quality Improvement. Early Years Alliance 74% regularly stressed about work 57% suffered anxiety 26% depression 61% no

367 views • 16 slides
North Tyneside Health and Wellbeing Board Annual Presentation of Commissioning Intentions 7

North Tyneside Health and Wellbeing Board Annual Presentation of Commissioning Intentions 7

27/02/2019 North Tyneside Health and Wellbeing Board Annual Presentation of Commissioning Intentions 7 March 2019 Introduction Commissioning intentions are: Communicated with the HWBB Reflect the JSNA and Joint Health and

260 views • 7 slides
Generation of Monotone Graph Structures Endre Boros MSIS Department and RUTCOR, Rutgers

Generation of Monotone Graph Structures Endre Boros MSIS Department and RUTCOR, Rutgers

Monotone Generation Hardness Efficient Generation Generation of Monotone Graph Structures Endre Boros MSIS Department and RUTCOR, Rutgers University AGTAC, Koper, June 16-19, 2015 Based on joint results with K. Elbassioni, V. Gurvich,

936 views • 89 slides
Various Topics Outline 1. Dynamic (time-varying) Optimization Problems 2. Stochastic

Various Topics Outline 1. Dynamic (time-varying) Optimization Problems 2. Stochastic

HEURISTIC OPTIMIZATION Various Topics Outline 1. Dynamic (time-varying) Optimization Problems 2. Stochastic Optimization Problems 3. Continuous (real-parameter) Optimization Problems 4. SLS Algorithms Engineering Heuristic Optimization 2016

185 views • 18 slides
Lift Off Learning Skills Applications and Admissions

Lift Off Learning Skills Applications and Admissions

Lift Off Learning Skills Applications and Admissions The Personal Statement

463 views • 33 slides
INDUCTION OF PREFECTS Congratulations to the elected Head Boy and Head Girl and their retinue of

INDUCTION OF PREFECTS Congratulations to the elected Head Boy and Head Girl and their retinue of

Issue 03, March 14, 2008 THOUGHT FOR THE DAY The superior man thinks always of virtue; the common man thinks of comfort. Confucius INDUCTION OF PREFECTS Congratulations to the elected Head Boy and Head Girl and their retinue of

293 views • 6 slides

More recommend